Most rail operators now recognize the powerful, wide-ranging benefits of digital technologies. But as digital systems become more widespread, do they fully understand the expanded cyber threats they face, especially since railways are prime public targets? And are they also learning the best ways to protect their assets and their communities as advances in quantum computing introduce greater risks?
The following questions can help you establish and maintain a comprehensive security framework to minimize dangers to passengers and operations.
Are you staying up to date on the latest vulnerabilities?
It’s important to realize that digitalizing railway operations creates more complexity and interdependencies between systems, and that offers hackers more ways to intrude. Often, the most vulnerable links are found in communications systems, as described in a March 2023 report by the European Union Agency for Cybersecurity (ENISA).
But soon after that report was published, hostile groups began targeting operational technology (OT) systems. In August 2023, for example, a group of state-sponsored hackers compromised the integrity of the Polish national railway network’s radio signaling system, then issued a false command that stopped 20 trains. The following month, the electrical infrastructure of Israel’s railroad network was attacked by state-sponsored hackers who used a phishing campaign.
Have you read about emerging exploits?
Hackers are now using three familiar types of attack in new ways, including disrupting OT systems.
- Eavesdropping is a classic type of IT-based intrusion used to collect sensitive data, such as login information, operating commands and system control messages. Currently, hostile groups can act on that data immediately, or they can use it to learn how a system works, then create devastating attacks later. The quantum era has introduced a new “harvest-now-decrypt-later” exploit, which means any encrypted data hackers collect can be held until they possess quantum computing power able to decrypt it.
- Man-in-the-middle attacks raise eavesdropping to the next level by modifying the communications that are being monitored. The attack on the Polish rail system reported by ENISA would have worked this way, by modifying system commands so that 20 trains were stopped. If a signaling system is compromised, anything is possible — including sending conflicting interlocking (IXL) signals to cause a head-on collision.
- Denial of service (DoS) attacks compromise the availability of critical systems. They accomplish this by overwhelming targeted devices with traffic, which appears to come from legitimate senders. The sheer volume of traffic leaves the systems unable to execute essential tasks. For example, if a DoS attack floods a railway’s traffic management system in a control center, it simply cannot maintain effective control of train movements across the network.
Do you know the value and limitations of encryption?
Encryption is becoming an increasingly important tool for protecting data integrity. In simple terms, it scrambles messages when they’re sent and unscrambles them when they’re received. If hackers capture the data “in flight,” it appears meaningless without the decoding scheme.
The security level of encryption depends solely on the intense computational efforts required to decode it. The goal is to make the money and effort needed to break the coding scheme so great that it outweighs the potential reward of having the data. However, the growing development of quantum computing is a looming threat to the effectiveness of many currently popular public key encryption algorithms, including Diffie-Hellman and Rivest-Shamir-Adleman (RSA).
Solutions: creating comprehensive cybersecurity in the quantum age
Of course, cybersecurity for individual network elements is essential, but a comprehensive in-depth approach is just as important, chiefly because the most vulnerable points of railway systems are often located in the interstices and communications between sub-systems. So a holistic defense-in-depth security framework, with multiple protection mechanisms, is required for a quantum-safe communications network.
Secure data transport starts by meeting the well-established standards already set out by regulators — as OT data flows through the various dense wavelength-division multiplexing (DWDM) switches, Ethernet switches and Internet Protocol (IP) and Internet Protocol Multi-Protocol Label Switching (IP/MPLS) routers.
Then traffic encryption has to be strengthened by using a robust key distribution server and symmetric key encryption. For instance, when the Advanced Encryption Standard (AES) is used with a session key length of at least 256 bits, it currently offers robust initial protection against quantum attacks at the network transport layers. And in the future, post-quantum cryptography algorithms that scale easily at the application layer will offer further protection for network users.
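The symmetric approach described above, and how it answers the man-in-the-middle modification of commands described earlier, shown as an added example that is not from the original article or any vendor product: AES with a 256-bit session key in GCM mode, so a modified or replayed command is rejected instead of executed. The choice of GCM, the frame layout, the sequence-number replay check and the sample command are assumptions made for illustration, and the key is generated locally in place of one issued by a key distribution server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// newAEAD builds AES-GCM and refuses any session key that is not 256 bits.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("session key is %d bits, need 256", len(key)*8)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns seq (8 bytes, authenticated) + ciphertext + tag; seq must never repeat per key.
func Seal(aead cipher.AEAD, seq uint64, cmd []byte) []byte {
	hdr := binary.BigEndian.AppendUint64(nil, seq)
	nonce := append(make([]byte, 4), hdr...) // 96-bit nonce derived from seq
	return append(hdr, aead.Seal(nil, nonce, cmd, hdr)...)
}

// Open rejects replayed sequence numbers and any frame altered in transit.
func Open(aead cipher.AEAD, lastSeq uint64, frame []byte) ([]byte, error) {
	if len(frame) < 8+aead.Overhead() {
		return nil, fmt.Errorf("frame too short")
	}
	hdr := frame[:8]
	if binary.BigEndian.Uint64(hdr) <= lastSeq {
		return nil, fmt.Errorf("replayed or stale frame")
	}
	nonce := append(make([]byte, 4), hdr...)
	return aead.Open(nil, nonce, frame[8:], hdr)
}

func main() {
	key := make([]byte, 32) // stands in for a key from the key distribution server
	rand.Read(key)
	aead, _ := newAEAD(key)
	frame := Seal(aead, 1, []byte("TRAIN 4711 PROCEED")) // constructed command
	frame[len(frame)-1] ^= 1                             // simulate in-transit modification
	fmt.Println(Open(aead, 0, frame))                    // rejected: authentication fails
}
```

Because the nonce is derived from the sequence number, each direction of a link needs its own session key and the counter must not restart while that key is in use.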
While security is a pressing concern, rail operators can help ensure the safety of our transport, while still gaining the benefits of digitalization. The key is to take a holistic and conservative approach designed to protect sensitive data, maintain the integrity of operations and safeguard against potential disruptions.
For more detailed information on how to enhance railway security in the quantum era, download our white paper, Strengthening railway communications network security.